Nytro

Dnswalk Tool On Backtrack 5 R3 Description: Dnswalk is a DNS debugger. It performs zone transfers of specifieddomains, and checks the database in numerous ways for internalconsistency, as well as accuracy. dnswalk is not for the faint of heart. It should NOT be used without a firm knowledge of the DNS RFC's. The warnings and errors must be interpreted within the context they are being used. Something may be flagged as a warning, but in reality it is a really bad error. Conversely dnswalk will flag things as warnings and possibly even errors, but they may actually be perfectly "legal" or normal in your specific situation. dnswalk is not an AI engine. It just provides useful information which you need to interpret. If you use this tool for cracking or otherwise evil purposes, the author hereby considers you a slime-ball. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Dnswalk Tool On Backtrack 5 R3

Man-In-The-Middle Attack Using Ipv6 Description: In this video you will learn how to perform a man in the middle attack on IPv6 system. So he will shows us how to setup your attack tools and how to start spoofing etc.. after all the configuration he will shows us how you can Hack the user , And if users logged somewhere you will get the pain text password. So he will shows us this demo on Facebook. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Man-In-The-Middle Attack Using Ipv6

Self Defending Database Description: PDF : - https://hacktivity.com/en/downloads/archives/215/ His expertise covers security of enterprise business-critical software like ERP, CRM, SRM, SCADA,PLC, banking and processing software. He is the manager of OWASP-EAS (OWASP subproject), a well-known security expert of the enterprise applications of such vendors as SAP and Oracle, who published a significant number of the vulnerabilities found in the applications of these vendors. He is the writer of multiple whitepapers devoted to information security research, and the author of the book “Oracle Security from the Eye of the Auditor: Attack and Defense” and one of the contributors to "Oracle with Metasploit" project. Alexander has spoken at international conferences such as BlackHat, HITB (EU/ASIA), Source, DeepSec, CONFidence, Troopers. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Self Defending Database

Android Security - An Introduction Description: PDF : - https://hacktivity.com/en/downloads/archives/207/ During his studies at the Swiss Federal Institute of Technology Antonio focused on information security topics with a special interest in system, network and software security. While studying, he worked as a part-time Software Engineer for a Swiss cable TV and Internet provider. After graduation he started to work as an IT Risk Officer for a Swiss financial institute where he performed IT risk assessments and technical security audits for business-critical applications and infrastructure components. In this function, he gained experience in technical security testing and IT risk assessment methodologies. In June 2011, Antonio joined AdNovum Informatik AG as a Software Engineer where he works on security-related projects. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Android Security - An Introduction

Post Exploitation – Discovering Network Information In Windows In network infrastructure penetration tests if we manage to exploit one system then it is easy to obtain information for the network that this system is part of.This information is important because in almost every network penetration test the ultimate goal is to become domain administrator and in order to achieve that it is necessary to know the appropriate commands that will help us to gather information about the network that we are already inside.In this article we will see how we can gather information about windows networks that we are conducting the penetration test from the system that we have already exploited. Lets say that we have exploited a windows system and we want to know more about the network that this system belongs to.The first and most common command is of course the ipconfig /all which it will display to us all the information about the network adapters of the host and the Windows IP configuration as the picture below is showing: ipconfig /all Another command is the ipconfig /displaydns which it will display the contents of local DNS cache. Display Local DNS Cache Systems in internal networks most of the times contain shared folders which can be listed with the command net share. System Shares We might also want to discover other internal networks that exist by examining the machine routing table with the command route print. Routing Table The ARP -A command will list all the systems that are currently in the machine’s ARP table helping us to discover other valid hosts. ARP Table We can also use the network diagnostic command of the system to obtain information about operating system,network adapters,network clients and other network configuration with the command netsh diag show all. network diagnostic Another information that is important to learn about the host that we have exploited is to see which other hosts are on the same workgroup.The command that we will need to type is the net view. Discover Hosts on the same workgroup Last but not least the netstat command can be used with the parameters -n -a -o to display all the active connections along with the IP addresses and process ID of each connection. Active Connections Conclusion In this article we saw some common commands and their output that can be used for post exploitation activities in Windows networks.The majority of these commands will help us to identify new hosts and network shares which can lead us to compromise further systems on the network. Sursa: Post Exploitation – Discovering Network Information In Windows

Reverse-Engineering Arrays Dejan Lukan December 19, 2012 Introduction Whenever we would like to reverse-engineer a function, we need to know exactly how the function is being called: its calling convention, number of parameters, parameter types, parameter values, etc. After the Ida analyzes the program, it will create comments for known parameters being passed to known functions. The function names will also be preserved and an automatically generated name will not be assigned to that function. An example of such a function is GetCurrentDirectoryA , a function call we can see in the picture below: We can see that the address of a function GetCurrentDirectoryA is being pushed into register edi. Then we’re moving a hexadecimal value 0×104 into register esi. Let’s ignore the jump instruction for now, since it’s not important at the moment. Then we’re loading some address to the register eax, which is currently unknown, and pushing that address to the stack as an lpBuffer parameter. After that we’re pushing the register esi as parameter nBufferLength to the stack and calling the GetCurrentDirectoryA function. If we go to the MSND website and take a look at the GetCurrentDirectoryA function prototype, we will see the following: We can see that Ida has correctly identified the names of the parameters that we’re pushing on the stack right before calling the GetCurrentDirectory function. If we take a look at the explanation of the function, we’ll figure out that the nBufferLength parameter specifies the length of the buffer for the current directory string, including the null character. The lpBuffer parameter holds a pointer to the buffer that receives the current directory string. If the function succeeds, the return value specifies the number of characters that are written to the buffer, not including the terminating null character. If the function fails, the return value is zero. To get extended error information, call GetLastError [1]. We saw that Ida automatically recognized the parameters that were passed to the GetCurrentDirectoryA function, which can be a great help when reverse-engineering a binary. But we must also mention that Ida doesn’t always know how to identify the parameters being passed to known functions, so from time to time we’ll have to rely on our own knowledge to identify those parameters. In the next part of the tutorial we’ll present a few basic programs and their disassembled versions to show how the higher-level C++ code is compiled into lower-level assembly code. First we must present a few basic programs in C++ we’ll use to compile into their binary form, which we’ll later analyze. We’ll present the C++ code that uses arrays in different situations and then reverse-engineer it in Ida. Global Arrays We know that arrays are contiguous blocks of memory, but we must differentiate between the locations where the arrays are stored. The arrays can be stored in a global scope of the program, on the stack, or on the heap. The first program that stores the array in a global scope of the program, written in C++, is presented below: [TABLE] [TR] [TD=class: gutter]1 2 3 4 5 6 7 8 9 10 11[/TD] [TD=class: code]#include int a[10]; int main(int argc, char **argv) { for(int i=0; i a = i; } return 0; }[/TD] [/TR] [/TABLE] We can see that the program is very simple; first we’re creating an array in the global scope of the program, which we’re iterating in the main function of the program and assigning each element their corresponding index. At the end the array will look like this: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 (the index starts at 0). If we compile and run the program right now, it won’t do anything, since we’re not printing the array on the screen. An example of this can be seen on the picture below where we first compiled the program into the array1 executable and later run it on the system: If we open the array1.exe executable in Ida now, the program will be analyzed and Ida will present the start method, which can be shown below: We can see that the start method initializes the stack and then calls the sub_401000 function to do its work. In order to further declare what the executable actually does, we need to examine that function. It’s good if we can first present the graph of how the functions are called in the current executable; the xrefs graph can be seen in the picture below: In the C++ code, we know that we’re assigning the number 11 to the ninth element of the array, so it would be a good idea to search for immediate value 0xB (the number 11 in hexadecimal representation) using the Search – Search immediate functionality. The following window will be presented to us: In the “Value to search” box we entered the value 0xB and checked the “Find all occurrences,” then pressed the OK button. Ida will look for all 0xB immediate constants throughout the program and will display a view notifying us about them. The view will look like on the picture below: We can see that many of the immediate 0xB constants were found, but we’re looking for such a constant in the .text section of the program, so only the first five options are really relevant. Most probably, the fifth option isn’t the one we’re looking for, since it’s comparing the 0xB constant to the value stored in register eax, and we’re looking for an assignment of the constant 0xB to some value. Thus, we need to scroll over only the four options that are left; we’ll quickly find out that it’s the forth option that we’re looking for and it’s located at the 0x004013C3 virtual address. The whole code of the function that also holds the 0x004013C3 location is presented on the picture below: The function’s name is sub_40138C and it is being called from the function sub_401000 (notice the cross reference). Actually, this is the function that we’re looking for, because the code presented above loops through the array and assigns the appropriate values to each element of the array. The graphical representation of the code above is presented on the picture below: On the loc_4013B7, we can see that we’re comparing the value stored at the [esp+20+var_4] to a constant 9, which is exactly our comparison of a for loop in C++ code. If the number stored at that address doesn’t equal to 9, then the program execution is redirected to loc_4013A4. That subsection increments the specified value by 1 and continues the looping process. When the loop is done, we’re jumping to the last block on the picture above, where we’re storing the 0xB constant in the eax register and overwriting the last entry in the array. Then we’re storing the offset to the cout function on the [esp+20+var_20] and printing the last entry of the array. At the end we’re returning 0 and quitting the program. If we right click on the dword_405020 variable and select “Jump in a new window,” the disassembly of that virtual address will open in a new window as we can see in the picture below: We can see that we’re referencing the dword_405020 variable that is part of the .bss section that holds the variables which can be allocated at compile-time rather than run-time. We know that the .bss section contains the uninitialized global variables that are declared outside any function. After the function is done executing, the memory will look as we can see in the two pictures below; the first picture presents the hexadecimal view and the second picture presents the disassembly view of the memory in question: We can see that both pictures present an array of integers, where the numbers are being increased from 1 to 9 and saved into contiguous memory locations. But why are three out of four bytes marked as zero? It’s because each integer is 4 bytes in size, but we’re only using 1 byte, since the numbers are very small, so the other three bytes must be left at zero. If we take a look at the instruction that writes the number to the specified memory locations, we can see that it’s using the “dword_405020[eax*4]” to index the right element in an array. The usage of eax*4 indicates that each element in an array is 4 bytes long. Local Arrays In the previous example we saw how the array is being accessed and written to when using global arrays where the compiler knows its address at compile-time; but if we try to use a local array, the virtual address to the start of the array is not known in advance, only at run-time. Let’s present the same program we used in the previous example, but move the array inside the main function, so the whole program will look like this: [TABLE] [TR] [TD=class: gutter]1 2 3 4 5 6 7 8 9 10 11 12[/TD] [TD=class: code]#include int main(int argc, char **argv) { int a[10]; for(int i=0; i a = i; } a[9] = 11; std::cout << a[9] << std::endl; return 0; }[/TD] [/TR] [/TABLE] If we compile and run the program again, it will look like the picture below: We can see that we compiled the program with g++ compiler and when we run it, the program output the number 11 as it should. If we now disassemble the program in Ida and find the function that initializes and declares the array, we will find something like the picture below: Notice the difference in assigning the values to the array. In the previous example, the assignment operations were as follows: [TABLE] [TR] [TD=class: gutter]1 2[/TD] [TD=class: code]mov ds:dword_405020[eax*4], edx mov ds:dword_405044, 0Bh[/TD] [/TR] [/TABLE] The current assignment operations are the following: [TABLE] [TR] [TD=class: gutter]1 2[/TD] [TD=class: code]mov [esp+eax*4+40h+var_2C], edx mov [esp+40h+var_8], 0Bh[/TD] [/TR] [/TABLE] Before we used the global variable for which the space has already been assigned at compile-time: the dword_405020 variable. But with the local array there is no default variable that is assigned at compile-time. Instead, the space in memory is assigned dynamically at run-time. At the latter example we can see that the index to the array is calculated with [esp+40h+eax*4+var_2X] index, which is a clear indication that the ESP register is also used to define the exact memory location, so the array must be local and declared on the stack. When the global array was used, the dword_405020 variable was used to define the exact virtual address of the memory location, but here it’s the ESP register. The var_2C is a local variable that holds a negative number that needs to be added to the ESP virtual address to get the address of the array on the stack. When assigning 0xB constant to the ninth element of the array, the var_8 local variable is used, which is used to calculate the exact address of the ninth element on the local array variable on the stack. The var_2C local variable holds the value of -0x2C, while the local variable var_8 holds the value -0×8. The [esp+eax*4+40h+var_2C] is evaluated as [esp+14h], [esp+18h], [esp+1Ch], etc, while the [esp+40h+var_8] is evaluated as [esp+0x38]. This makes perfect sense and exposes all the virtual addresses of all the elements of local array. The first element a[0] is located at [esp+14h], the second argument a[1] is located at [esp+18h], etc, and the last argument a[9] is located at [esp+38h]. Heap Arrays There’s one more place where we can allocate arrays: on the heap. To do that, we must introduce the new keyword into the C++ program. If we rewrite the program so it will use the heap for storing the array, the actual code will look like the one below: [TABLE] [TR] [TD=class: gutter]1 2 3 4 5 6 7 8 9 10 11 12[/TD] [TD=class: code]#include int main(int argc, char **argv) { int *a = new int(10); for(int i=0; i a = i; } a[9] = 11; std::cout << a[9] << std::endl; return 0; }[/TD] [/TR] [/TABLE] Notice that the use of new keyword operation reserves space on the heap at run-time. The picture below presents the compiling and running the program the same way as we already did in the previous two examples. When we load the array3.exe executable into Ida, we can quickly locate the relevant function inside it, since the program is basically the same as before. The graphical overview of the relevant code is presented in the picture below: In the first block above, we’re initializing the stack and then moving the value 0×28 to the stack, which is the first and only parameter to function Znaj, which symbolizes the call to the new keyword. The 0×28 bytes is exactly 40 bytes, which is: 10*4=40 bytes (10 elements of the array). After the initialization, the virtual address is stored in eax register, which is then saved into the [esp+20h+var_8] variable on the stack. The [esp+20h+var_4] value holds the index to the array, which is first initialized at 0 and then increased to 9. The “mov [eax], edx” instruction saves the current index value on the address returned by the new operation, which is a memory region on the heap. Conclusion We’ve seen different uses of arrays in assembly language. The easiest way to figure out we’re dealing with an array is noticing the use of eax*4 index, which increases the array index in each iteration by 4. References: [1]: GetCurrentDirectoryA function, accessible on http://msdn.microsoft.com/en-us/library/windows/desktop/aa364934(v=vs.85).aspx. Sursa: InfoSec Institute Resources – Reverse-Engineering Arrays

Reverse Engineering Structures Dejan Lukan December 18, 2012 Introduction In this part of the tutorial, we’ll take a look at how we can figure out a structure when reverse engineering a binary. First, we must write a C++ program that declares and uses the structure, so that we’ll be able to reverse engineer it. The basic difference between arrays and structures is the fact that we’re using an index to address consecutive elements of the array, whereas with structures we’re using named members to access specific data within the structure. When working with structures, we must keep in mind that the size of the structure is declared as the sum of all its data members aligned on word boundary in memory. What does that mean? It means that the compiler will align each data structure on a 4-byte boundary, so it can read and write member values from memory more efficiently. Global Structures The program written in C++ that uses global structures can be seen below: #include <iostream> struct s { int x; int y; int z; double value; } mys; int main(int argc, char **argv) { mys.x = 1; mys.y = 2; mys.z = 3; mys.value = 9.9; std::cout << mys.value << std::endl; return 0; } Let’s compile and run the program to see what it does. We can do that by downloading the MinGW software package in Windows and issue the two commands that can be seen on the picture below: We compiled the program with the g++ compiler and after running it, the program outputted the number 9.9. In the source code of the program, we’re first defining a structure that has four members: variable x, an integer; variable y, an integer; variable z, an integer; and variable value, a double. The structure can represent points and their values in a three-dimensional space. We’re also defining an instance of the structure named mys when declaring the structure: note that this is just a shortcut to declaring the structure in a normal way like “struct s mys.” If we load the program in Ida, we can quickly find the following disassembly that initialized the numbers 1, 2, 3 to the x, y, z members of a structure and which defined the value of member ‘value’ to be 9.9. The disassembly can be seen on the picture below: In the assembly code, we can see the direct assignment of values 1, 2, 3 and 9.9 to a certain memory location by using the variables dword_405020, dword_405024, dword_405028 for variables x, y and z and dword_405030, dword_405034 for variable ‘value’. In the assembly code, there is no math involved at all, so we really can’t be sure if the structure is involved or not. The way we see it, the program references a few global variables rather the members of the structure. Local Structures First let’s present the C++ program that allocates the structure locally and declares its members. Basically, the program is the same as with the global structures, except that the structure is declared locally; all the rest is the same. The whole C++ program is as follows: #include <iostream> struct s { int x; int y; int z; double value; }; int main(int argc, char **argv) { struct s mys; mys.x = 1; mys.y = 2; mys.z = 3; mys.value = 9.9; std::cout << mys.value << std::endl; return 0; } We can see that we’re first declaring the structure with four members: variable x, y and z that are of type int and variable ‘value’ that is of type double. We can copy the program to Windows executable, compiling it and running it. We can see that on the picture below: Okay, so the program works as expected, because it outputs the number 9.9. But we’re interested in the disassembled version of the program that we can obtain very quickly by opening up the executable in Ida Pro and finding the appropriate section of the executable. The disassembly listing can be seen below: In the disassembly function, we can quickly figure out that we’re using 0×30 bytes for local variables, which is the fact that we’re declaring the structure locally. In the previous example where we declared the structure globally, we only used 0×10 bytes on the stack for local variables. We can also see that this time, we’re now assigning the values 1, 2, 3 and 9.9 to different global variables inside the assembly, yet we’re actually using the stack pointer ESP with the right offsets to access certain members of the structure. The x variable from the C++ code lies at the address [esp+30h+var_18], which means that the local variable var_18 is used to reference the x member of the structure. The same goes for other members, where var_14 is used for member y, var_10 is used for member z and var_8 and var_4 are used for member ‘value’. This gives us the picture that the function is using different local variables to hold the values assigned to them, but in reality we’re defining the members of the previously defined structure ‘s’. When we know how a certain function uses a structure, we can rename the local variables to define the structure more clearly. This also presents another useful feature of Ida: renaming the variables automatically generated by Ida itself. The disassembly of the renamed local variables could look like the picture below: Notice that the local variables that used the offset into the structure are not renamed to define their real members x, y, z and ‘value’? This can be a valuable help if we would like to share our work with others; maybe putting a few comments in there wouldn’t be such a bad idea. Heap Structures Heap structures are basically the same as local or global structures, except that they are defined on heap. I guess we should first present the program written in C++ that does exactly that: it allocates the structure on the heap and then allocates certain values to its members and prints the value stored in memory ‘value’. Such a C++ code can be seen below: #include <iostream> struct s { int x; int y; int z; double value; }; int main(int argc, char **argv) { s *mys = new s; mys->x = 1; mys->y = 2; mys->z = 3; mys->value = 9.9; std::cout << mys->value << std::endl; return 0; } Upon compiling and running the example code above, the program will print the value 9.9 as we can see on the picture below: When we load the program with Ida Pro, we can quickly find the relevant code the above program was compiled into. The assembly version of the above program can be seen on the picture below: Notice that we’re first calling the Znwj function that equals the new function in C++. That function creates a new struct on the heap and stores the pointer to the structure in eax, which we’re writing to the address on stack [esp+20h+var_4]. Afterwards, we’re using this pointer to get access to various structure members by using the appropriate offset into the structure: [eax], [eax+4], [eax+8], [eax+10] and [eax+14]. We’re also passing the 0×18 constant to the new function, which means that the struct’s size is 0×18 (24 bytes). Defining Structures Manually in Ida In the preceding examples we saw how the structures from C++ were translated into assembly code. Let’s summarize how the structure members were accessed in each of the three examples. When we declared the structure globally, the structure was accessed as follows: [TABLE] [TR] [TD=class: gutter]1 2 3[/TD] [TD=class: code]mov ds:dword_405020, 1 mov ds:dword_405024, 2 mov ds:dword_405028, 3[/TD] [/TR] [/TABLE] When we declared the structure locally, the structure was accessed as follows: [TABLE] [TR] [TD=class: gutter]1 2 3[/TD] [TD=class: code]mov [esp+30h+var_18], 1 mov [esp+30h+var_14], 2 mov [esp+30h+var_10], 3[/TD] [/TR] [/TABLE] When we declared the structure on the heap, the structure was accessed as follows: [TABLE] [TR] [TD=class: gutter]1 2 3 4[/TD] [TD=class: code]mov eax, [esp+20h+var_4] mov dword ptr [eax], 1 mov dword ptr [eax+4], 2 mov dword ptr [eax+8], 3[/TD] [/TR] [/TABLE] We can see that in the second and third case, we’re using offsets to access certain members of a structure. We should tell Ida that we’re dealing with a structure since Ida can only detect the use of a known structure by itself, but it certainly can’t detect using the custom structure as we did in the above cases. We can open the Structures window by going to View – Open Subviews – Structures to see if Ida has detected the use of any structure in the program. Currently there are no structures in this executable as we can see below: There are some comments presented in the structures view that informs us of how we can use the structures window. To create a structure, we can press the Insert key, while the Del key deletes a structure. We want to press the Insert key to insert a new structure. Upon doing that, the following dialog box will pop-up: We need to enter the name of the structure, which is only the letter ‘s’ and press OK. A new empty structure will be added to the Structures windows as can be seen on the picture below: To add members to the data structure, we must position our cursor to where we want the structure to be and press the letter ‘d’. We must then press the letter ‘d’ as long as the added member isn’t the required size as it should be. Afterwards, we can right-click the name, which is by default field_0 and change its name to something else. Using that approach, we must add all members of a certain structure, which in our case are the variables x, y, z and ‘value’. We must also ensure the proper alignment of all the fields in the array. At the end, we can even collapse the structure with the minus ‘-’ sign to represent it in one line; the opposite operation of that is to expand the structure by pressing the plus ‘+’ sign. There is an easier way to create a structure in Ida – we can import the structure written in C/C++ programming language itself by importing the header file into Ida. We can do that by first creating the header file, which will contain only the defined structure itself and nothing else. Then we need to go to File – Load File – Parse C Header File and choose the created header file. Ida will parse and import it and then display the following notification window: The window tells us that the structure was successfully imported. After that, we should go to the Structures window and Insert a new structure with the same name as what we imported from the header file. This will actually add the structure among all the structures in the executable. We can see the structure ‘s’ being added to the structure window below: To use the structure in the disassembly listing, we have to double click on the offset that is being used to reference different members of the structure. Let’s take a look at the following program disassembly: In the picture above, it’s already evident that we renamed the offsets that reference different members of the structure into x, y, z as valueH and valueL. After that, we should double-click on the variable x to be thrown at an actual stack frame memory address (this can be a memory allocated in any section) as follows: Then we should select the first variable of the structure, in this case variable x, and select Edit – Struct Var. This will display a list of known structures within the executable. In our case, only the imported structure ‘s’ is known, as we can see on the picture below: The structure will be applied to the current address and will consume as many bytes as the size of the structure. This is why we must always select the first member of the structure, because the structure will be applied to that memory address and its corresponding higher memory addresses. After the structure is applied to the current memory address, the disassembly will look like the picture below: We can see that it was worth it, because now the disassembly view is much clearer and easier to read. Notice that we now have a local variable named mystruct that is used later by the function to reference different members inside it. Conclusion We’ve seen how structures are reverse engineered in Ida debugger and how to recognize them. But what is more important is the fact that we’ve looked at how to import the structures in Ida and apply them to memory locations, which automatically updates the disassembly view to make it more readable and easier to understand. We should also keep in mind that Ida applies known structures from various system libraries to the executable by default when being analyzed. Usually, different structures are used in different API functions that are part of the system. All the recognized structures will also be added to the structures window, which we can use throughout the program analysis. Sursa: InfoSec Institute Resources – Reverse Engineering Structures

SELinux Raises the Bar Against Intruders: An Introduction Adrian Stolarski December 14, 2012 A task of any operating system is to provide software that strongly increases its security. A lot of programs of this type have been created; some are better than others. What does it look like in terms of Linux? Of course, here we have many more choices when it comes to this type of software, but some software is worth recommending. Some people already know what I mean: SELinux. Why choose this solution? Why do I think it is so different from other software of this type? And the last key question: who really should use it? This series will show what SELinux is and what it offers to each user. I hope that you will find the answer to all your questions. Despite the fact that SELinux uses the basic standards, it really is very revolutionary. This system, as the name suggests is Security Enhanced Linux! So I invite you to read this series and learn about this tool. What is SELinux and where did it come from? Do you want a book definition? Okay, no problem. SELinux is a system with MAC, or Mandatory Access Control. It implements a security policy called RBAC, Role-Based Access Control. This policy is implemented by DTAC, which is Dynamically Typed Access Control, which also translates as the domain name of Access Control System. True, it sounds a bit baffling. But in practice, it is really very simple. It is only the theory that seems highly complicated. And now it’s time forsomething much simpler: a little bit about the history of SELinux All work on SELinux is sponsored by the U.S. National Security Agency. The money goes to the team that is working on SELinux, the Secure Computing Corp. It should be noted that this company also owns all of the patents for the software. The idea of SELinux, a product that we all know today, is not really new; it is 20 years old. In 1992, a new idea for security resulted in a project called Distributed Trusted Match. The project developed some innovative solutions, which became part of an operating system called Fluke. Fluke evolved into Flux, which led to the development of Flask architecture. The Flask architecture was then integrated with the Linux kernel, and the whole newly created project was called SELinux. How did this happen? SELinux was the first security project in the history of scientists from NSA. NSA scientists were the first to have noticed that mainstream operating systems do not have a required critical security to enforce access control and separation of inside information on the requirements of consistency. The result is that most security mechanisms are vulnerable to manipulation and handling, which involves a cascade of consequences. The choice of Linux as a system for the NSA security project was not accidental. Linux was chosen because of two main features: • growing popularity • open developement environment NSA’s intention was to present a functionality that could succeed in mainstream operating systems and at the same time would have a chance to contribute to the improvement of the safety of commonly used operating systems. The project thate has been registered as SELinux resulted from several previous NSA projects. The work of NSA scientists (meaning researchers sponsored by NSA) was not intended to solve existing problems of security and SELinux is in no way an attempt to improve security in Linux. Changes in Linux only covered the introduction of new mechanisms. What is hiding in the middle of SELinux? In fact, three elements of this system should attract our attention. The first is the kernel. At first, SELinux tried several kernels, but today the complete infrastructure of SELinux uses the Linux kernel. It is, of course, slightly modified and is called LSM, Linux Security Modules.This infrastructure provides all possible interfaces that allow you to fully control access to all system objects when they are initiated by user actions. These are, for example, opening a file, creating a new folder, or binding ports. How does it work? Well, SELinux simply connects to the interface and forces the use of the system’s own security policy. From the point of view of the administrator who installs SELinux, this system is simply a patch for the kernel. The second element that I have to mention is that key programs are modified. How does it work in practice? In most cases, SELinux allows all programs a little bit of freedom. They do not need to understand that SELinux is not just Linux. But in any operating system there are some safety-critical software systems that must always be extended to support SELinux. These programs are primarily ssh, ls, ps, xdm, or login. And here again there is a role for the Linux. During installation or download, fully modified versions of these programs are required or security patches must be applied to the source programs to ensure the security of the system. The third and last thing that distinguishes SELinux are its rules, or policy. What is their role? They define access rights, the right to pursue activities in the system, and the behavior of SELinux system. Although I mention them third, they are the most important. These rules determine the effective action of the system. A large part of this article will be devoted to writing the rules and the way they are constructed in the system. The truth is that system administrators never, under any circumstances, should be required to write their own rules for the policy, unless there are custom requirements. However, every administrator should have the knowledge that will allow him to modify the rules to suit the system’s needs. In addition to knowing something and be able to use your knowledge, you need to understand all the rules that already exist in the operating system. How to really grasp the damn thing called MAC? As already mentioned, the system is a method of enforcing SELinux MAC. So let’s see exactly what it means to us as administrators. Well, I managed to find the main principle, applicable to all systems using MAC. In my opinion, it should be this: none of the users of the system has the right to decide in any way the security and rights of access to objects in the system. All of those rights and security should always be defined according to the security policy of the system. In the case of SELinux, they should be reflected in all policy records. MAC policy alone is very often confused with ACL. The facts very quickly refute this myth. In fact, ACL does not carry MAC policy. These lists also have yet another disadvantage. In practice, they are very complicated in terms of configuration and maintaining correctness. You can also say that they are different is in terms of action. ACL always specifies individual use cases, while MAC always sets out general principles. In fact, ACL support has been withdrawn from the Linux kernel version 2.4.x already Why did this happen? Because Linux kernel developers decided that ACLs are not really as good a way to control the powers and actions of the user in the operating system. Despite this, those lists are sometimes used. For example, if we have a Samba server, they are often used, because they allow you to set permissions for all the files from the Microsoft Windows client. Another heavy shortcut, or DTAC As I mentioned earlier, DTAC is Dynamically Typed Access Control, but it is often translated as the domain name of Access Control System. But that’s not what this section is about. Let’s focus on the real features of DTAC. Shall we begin? In the case of DTAC, each of the objects in the system, whether it is a directory, port, or any device, has its own unique type. What does this mean in practice? Some top-down rules are always forced on each object type . These rules in no way depend on the decision of the user, but the system administrator creates and controls the policy. This means that in any system that uses a DTAC, you can create any number of rules, a thousand or a million, and the system is always prepared. In addition, the system has whole sets of rules on how to take action on all objects of each type. We will return to this subject later. In fact, in the case of DTAC, control and validation testing of all rules are much easier than in other cases. As a curiosity, I should mention that IBM has developed a tool, whose main task is to automatically check the consistency and accuracy of security policy DTAC. Another heavy stand, the RBAC As I mentioned earlier, RBAC stands for Role Based Access Control. We can recognize that this is an access control system based on user roles in the system. This term is not often used. Where can we find it? Well, any standard Unix or Linux system has built-in Role Based Access Control. And the truth is that if you look closely at the UNIX system, the roles are always split. There are always certain types of system users, each of whom is entitled to exercise a very limited range of activities. This means that each of them performs a role within the UNIX system. There is another element that qualifies a standard UNIX system to become a system with built-in RBAC. There is something in them called SUID. As you all probably know, SUID can change the user’s role and the actions that can be performed by the user. How does this all work with SELinux? Well, it really is a SELinux RBAC system with built-in rules that are implemented by DTAC. SELinux system also extends what is called the philosophy of SUID. Thus, it can also extend the understanding of the role of users in the system. To summarize quickly: a SELinux system is designed to allow for a much more flexible way, which is also more accurate and much better suited to your needs, to identify and help implement user roles within the system. Summary This is really only a quick introduction to SELinux. The article describes the basics of the mechanism used on a daily basis in this system. It still does not do anything special, but the desire to write a summary of what it is captivated me. On our website, with SELinux we often capture 50 fixes critical to the security system in a very short time, less than seven days. Another decisive advantage is its ease of use. As a Linux system administrator, I have never met a tool that uses such simple rules, yet describes so much. Yet very few administrators so far know the SELinux system. My next article in this series will go a few stepsfurther. Sursa: InfoSec Institute Resources – SELinux Raises the Bar Against Intruders: An Introduction

[h=1]$36,000 USD reward for wanted hacker[/h]Posted by Geetansh Jindal Japan's National Police Agency has offered a monetary reward for a wanted hacker, use programming languages like C# to create a virus called "iesys.exe" and Hijack systems of innocent people to post aggressive messages on Internet on behalf of Users. Method called a "Syberian Post Office" to post messages to popular Japanese bulletin board. Hacker use cross-site request forgery exploit, that allow hackers to making online postings via innocent users automatically. The messages included warnings of plans for mass killings at an elementary school posted to a city website. It is the first time that Japan's National Police Agency has offered a monetary reward for a wanted hacker and will pay up to 3 million yen (US$36,000). The case is an embarrassing one for the police, in which earlier this year four individuals were wrongly arrested after their PCs were hacked and used to post such messages on public bulletin boards. "Up until now this type of reward was reserved for cases involving crimes like murder and arson, but the policy has recently been changed to include more types of crimes," an agency spokeswoman said. Sursa: $36,000 USD reward for wanted hacker - Hack Reports

[h=1]Download Nmap 6.25[/h]map 6.25 released with 85 new NSE scripts Download Nmap 6.25 After five months NMAP team release latest version of open source utility for network exploration or security auditing - NMAP 6.25 . It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Updates: integration of over 3,000 IPv4 new OS fingerprint submissions, over 1,500 service/version detection fingerprints, and of the latest IPv6 OS submissions and corrections better IPv6 traceroute support new poll and kqueue I/O engines for improved performance on Windows and BSD-based systems including Mac OS X added support for Unix domain sockets 85 new NSE scripts 12 new protocol libraries Windows 8 improvements targets-sniffer is now capable of sniffing IPv6 addresses a number of bugs affecting the software's security, stability and productiveness fixed. Download Nmap 6.25 Sursa: Download Nmap 6.25 - Hack Reports

[h=1]Windows 8 Security Stresses Exploit Prevention[/h]A look at some of the key security features in the Microsoft's new OS Dec 20, 2012 | 03:32 PM By Kelly Jackson Higgins Dark Reading Windows 8 won't be under the Christmas tree for most enterprises this year: it's too new and Windows 7 remains well-entrenched for now. But with the brand-new Windows 8, Microsoft has continued its strategy of building more security features into the operating system to help deflect attacks. One key theme in Windows 8 security is repelling exploitation: mainly making sure that when – that's when, not if – malware gets in, it can't actually do harm. That's right in sync with a growing sense of fatalism among enterprises and security vendors that has replaced the secure fortress mindset. It's no longer if or when you get hacked, but the assumption that you've already been hacked, with a focus on minimizing the damage. [The goal is to try to detect an attack as early in its life cycle as possible and to quickly put a stop to any damage, such as extricating the attacker from your data server -- or merely stopping him from exfiltrating sensitive information. See Damage Mitigation As The New Defense.] Windows 8 comes with security features that fit that major shift in security philosophy and approach. "We've made significant investments in Windows 8 to make sure that even if a vulnerability is discovered, the likelihood of a successful attack will have been minimized, if not eliminated," says Stella Chernyak, a member of the Windows 8 team at Microsoft, in a blog post today. Microsoft says it focused on three main areas of security in Windows 8: resisting malware, data encryption, and new authentication. Security experts applaud Windows 8's new features but question whether they mean much right now, especially since few organizations are ready to make the jump to Windows 8. "The bigger issue is the adoption of Windows 8. Nobody I've talked to is campaigning to implement it. Windows 7 is stable, and it doesn't have a crazy interface" like the new version of Windows, says Andrew Jaquith, CTO of Perimeter E-Security. Jaquith gives a thumbs up to the new security features in Windows 8. Still, it remains to be seen whether enterprises that eventually go Windows 8 will adopt the bulk of its security controls, he says. Here's a look at the three main security disciplines in Windows 8: 1. Malware repellant Just like there's no way to stop a determined hacker, there's no way to stop all malware, either. But Microsoft has included the so-called Secure Boot feature, which is based on the new Unified Extensible Firmware Interface (UEFI), which replaces the BIOS. "Secure Boot prevents a computer from booting into an operating system unless the boot loader code is digitally signed with a certificate derived from a key stored in the UEFI firmware," explains Paul Henry, security and forensic analyst at Lumension Security. The new Secure Boot feature in Windows 8 is aimed at blocking stealth malware such as bootkits and rootkits that can wrest control of the machine, according to Microsoft. The digital signature provides verification that the boot-loader code the UEFI reads from disk into memory is from a trusted source. "This effectively mitigates the risk of a malicious 'boot-kit' from being run on boot to facilitate persistent malware," Henry says. But given the rash of stolen digital certificates over the past year or so to sign and spread malware, "the jury is still out" on the ultimate effectiveness of Secure Boot, he says. Secure Boot combined with running Microsoft's AppLocker whitelisting feature and banning side-loading attacks is the best combination to prevent malicious code and apps from infiltrating the machine, Perimeter's Jaquith says. "Then you would get something very close to what [some] smartphones have [with] app modules that are trusted and you can trace them back to a known app source. Integrity can be verified through" Secure Boot, he says. Microsoft also has embedded an updated version of its Windows Defender anti-malware application in Windows 8. Microsoft recommends using just one anti-malware application on the Windows 8 machine, whether it's Windows Defender or another product. Lumension's Henry says Windows Defender has actually fared better than many other AV products in testing. AV Comparatives found that 13 of 17 AV products had equal or inferior heuristics than Windows Defender. "Even when adding behavioral protection in to the mix, Windows Defender still beat the performance of 4 of the 17 well-established commercial products tested," Henry says. Even so, "it shouldn't be your only defense." Overall, the new Windows Defender version is "more robust" than previous versions, says Nick Skrepetos, CTO of consumer software for Support.com. 2. Protecting the data itself. Encryption traditionally has had its woes: "One of the biggest challenges is the sheer amount of time it takes to provision encryption to the device. It can take hours, and in the case of some third party solutions, it can even block end user productivity while the encryption process is taking place," Microsoft's Chernyak says. Microsoft has beefed up BitLocker and BitLocker to Go, its data encryption features, in Windows 8. The OS offers Data-Only Encryption, where BitLocker encrypts only the sectors on the disk that include data. This trims encryption time down to minutes in many scenarios, according to Microsoft. There's also a new flavor of self-encrypting drive feature that works with BitLocker to encrypt data on the fly, using hardware-based processing to speed up the process. "Bitlocker has a new Bitlocker To Go capability that allows the encryption key for Bitlocker to be saved in the users' SkyDrive Account," Henry notes. Next Page: New virtual smart card 3. Authenticating and controlling user access. Windows 8 features Virtual Smart Card, a simplified multi-factor authentication feature. It's a software-based technology that can be used in lieu of physical smart cards. It works with existing smart card apps and management products, and doesn't require a physical card reader. "The virtual smart card feature can be used in place of existing smart cards with any application or solution that is smart card compatible – no server- or application-side changes are required," according to Microsoft's technical overview of the feature. The idea is to make smart cards more "mainstream" and inexpensive to deploy. Windows 8 also comes with a new access control function called Dynamic Access Control (DAC). It's a rules-based approach that eliminates the static list approach. Other goodies Among some of the other security features in Windows 8 are sandboxing and upgraded versions of Microsoft's Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) attack mitigation technologies. "The improvements to ASLR & DEP are combined with the new Windows 8 application sandboxing capability that effectively limits the access of a compromised application. This feature means the bad guys will be fighting an uphill battle to deliver effective exploits for Windows 8," Lumension's Henry says. Meanwhile, security researchers are already hammering away at Windows 8 for bugs. So far, most of the attacks targeting Windows 8 have basically been scams aimed at confusing and duping new Windows 8 users. Support.com's Skrepetos says his team has mostly seen rogue apps trying to mimic the Windows 8 user interface and trying to get victims to click on a link to "protect" Windows 8 with security applications, for instance. "Windows 8 is still unproven ground. Windows 7 has been around long enough, so there's been more time to [attempt to] exploit" it, Skrepetos says. Sursa: Windows 8 Security Stresses Exploit Prevention - Dark Reading

Aveti si SSL acum

[h=1]Programul de guvernare al CABINETULUI PONTA II, scris pe un Microsoft Word PIRATAT[/h]de Andrei Luca POPESCU Versiunea electronic? a Programului de guvernare a României pentru perioada 2013-2016, dat publicit??ii joi de Guvernul condus de Victor Ponta, este realizat? într-o versiune piratat? a programului Microsoft Office Word. Documentul a fost postat pe pagina de internet a Guvernului României. La propriet??ile documentului Word, pot fi observate numele autorului ?i compania pe numele c?reia este înregistrat? copia programului de redactare pe calculator – Microsoft Office Word. Autorul este C?t?lin Cîndea, angajat al Guvernului la cabinetul premierului Victor Ponta. La numele companiei apare „Grizli777”. O apari?ie comun? pentru utilizatorii de Microsoft Office piratat, „Grizli777” este numele grupului sau individului care s-a ocupat de „spargerea” programului original, prin furnizarea unei licen?e false care poate fi desc?rcat? de pe site-urile de specialitate. Folosind "crack"-ul produs de Grizli777, programul poate fi utilizat f?r? s? fie cump?rat. Sursa: Programul de guvernare al CABINETULUI PONTA II, scris pe un Microsoft Word PIRATAT - Gandul

[h=1]nullcon Delhi 2012: Microsoft EMET Attack Mitigations - By Neil Sikka[/h] EMET is a program that customers can deploy to defend vulnerable software from exploitation without any code changes, binary changes, or recompiling. In this talk, I will show how proof of concept programs that I write can be exploited, and how EMET can stop exploitation of these programs. In demonstrating my programs, I will first run my programs without EMET enabled and show that they successfully exploit the system, and explain how the exploit works. Then, I will enable EMET, and show that the exploit is blocked and the vulnerable program was crashed rather than exploited.

[h=1]nullcon Delhi 2012: Highly Harmful Audio Waves aka DTMF Fuzzing - By Rahul Sasi[/h] Paper would be on DTMF input processing algorithms [DSP] , that are often embed into PBX, IVR, Telephone routers and other devices that process DTMF input. PBX and IVR servers are often deployed for running Phone Banking App Servers, Call Center Application and other systems that uses phone to interact with them. If an attacker could trigger exception in DTMF processing algorithms, then they could crash the entire application server making a single phone call, causing the entire Phone banking in accessible, or no calls to the costumer service goes through. One such denial of Service could cause a lot of panic and the amount of damage would be pretty huge. We will be demonstrating lot of amusing remote DTMF attacks on Phone Banking, Tele-Voting, and Customer Support applications using DTMF. This talk is recommended for Pentesters, PCI|DSS consultants, Telephone Companies, Banks or anyone who uses a device interacted via Telephone.

[h=2]Topera: invisible IPv6 TCP scanner to Snort[/h] Topera is a brand new TCP port scanner under IPv6, with the particularity that these scans are not detected by Snort. Snort is the most known IDS/IPS and is widely used in many different critical environments. Some commercial tools (Juniper or Checkpoint ones) use it as detection engine also. Mocking snort detection capabilities could suppose a high risk in some cases. All the community is invited to test it in any environment and we would be thankful if you send us any feedback. We keep researching on the security implications that the "new" IPv6 protocol will have in different environments. This tool was presented in the second edition of the Security Conference "Navaja Negra" (Navaja Negra Conference :: Albacete) by Daniel Garcia a.k.a cr0hn (@ggdaniel) and Rafa Sanchez (@r_a_ff_a_e_ll_o ). If any provider/vendor needs further detailed information or is interested in testing its products please, don't hesitate to contact us In next pictures you can see some executions screenshots: You can see an example of execution of Topera here: Links: http://code.google.com/p/topera/ http://www.iniqua.com/labs/topera-invisible-tcp-scanner/?lang=en Via: Full Disclosure: "Topera" The new IPv6 TCP port scanner invisible to SNORT...

[h=1]Thar' be Vuln. ID's Here - A Data Mining Case Study Matt Jones[/h] hgd6_1-lo&index=8RoxCon 2012

[h=1]Bluetooth Packet Sniffing Using Project Ubertooth - Dominic Spill[/h] hgd6_1-lo&index=7RoxCon 2012

[h=1]A Tale of Two Firefox Bugs - Fionnbharr Davies[/h] hgd6_1-lo&index=6RoxCon 2012

[h=1]Tracking vulnerable JARs - David Jorm[/h] hgd6_1-lo&index=5RoxCon 2012

[h=1]How To Catch a Chameleon: Its All In Your Heap - Steven Seeley[/h] hgd6_1-lo&index=4RoxCon 2012

[h=1]Injecting PHY-Layer Packets without a Bug or your Radio - Travis Goodspeed[/h] hgd6_1-lo&index=3RoxCon 2012

[h=1]Reverse Engineering a Mass Transit Ticketing System - TrainHack[/h] hgd6_1-lo&index=2RoxCon 2012

Hardware Backdooring is Practical - Jonathan Brossard RuxCon 2012

Nu, multumim. Ban.